> talk talk talk. you always wanna carry on about something. :)
Yes, I don't always trust myself.
> I think we should all get together again and hash some stuff out.
> There's been several good ideas today. How bout monday? I'll get a case
> of delerium and we'll figure stuff out. Evidently offering good belgian
> ale makes everyone clear their day planners and actually show up :)
> Tomorrow I'm going to the Scottish Games with the family, sunday I have
> cleared for movie stuff.
>
> That all said, dig this crap:
> http://www.neverlight.com/pas/css.psp?foo=%3Cscript%3Ealert('oops')%3C/script%3E
>
> in one round of botched hackery, none of my pages are vulnerable to CSS
> attacks that use the <script tag. :)
Neato. That's pretty awesome. Why is the starting part of the tag
disappearing? Are you just stripping it or are you translating it into
an html entity? (&lt; and &gt;)
> Happy day. Now to make it not look like hell. Once I'm happy with
> implementation details, I'll merge it into the main pas tree.
>
> Right now, I'm doing everything in RequestHandler. We can break it out
> easily as I wrote my own inspect-the-request-and-break-it methods. I'm
> just not sure what the best way to go is.
How about in the request object? That seems like the right place for it.
When the request handler sets the query in the request, it could do
the key/val arg checking at that point. It seems more appropriate in
the request object instead of the handler. The handler should just set
things up and let them go.
> Should I make the config file the place where you specify what package
> RequestHandler should use to purify data? If I do that, should we
> support stacked (specialized) handlers? I dunno. Maybe I'm over
> engineering. I just wish I was more devious. I'm pretty much just
> wandering around security focus for no-brainer scripts to throw at the
> code. So I'm not at all sure how bullet proof this will be.
>
> Oh, and I'm not at all sure I know all the tricks you can do to sneak
> the tags past.
>
> Like script... it has to look like
> <script>
> or < script> or whatever... right? Like, there can't be anything between
> the word script and the closing bracket, right? so like..
> <script name> isn't the same thing. Sorry if this is dumb, but I think
> I'm down to one brain cell today.
>
> Anybody wanna help a brother out?
At least put in the first implementation -- we'll rework it if necessary.
Some protection is better than zero.
Thanks,
Kyle
--
------------------------------------------------------------------------------
Wisdom and Compassion are inseparable.
-- Christmas Humphreys
mo...@vo... http://www.voicenet.com/~mortis
------------------------------------------------------------------------------
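
An added example, not part of the original thread or the PAS code base: a Python sketch of the two options discussed above (stripping the `<script` opener versus translating to HTML entities), applied in the request object when the query is set. `Request`, `set_query`, `arg`, `purified` and both purifier functions are hypothetical names, and the inputs other than the URL quoted in the thread are constructed from the tag spellings the thread asks about.

```python
import html
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# URL quoted in the thread; only its query string is parsed, nothing is fetched.
PAGE_URL = ("http://www.neverlight.com/pas/css.psp"
            "?foo=%3Cscript%3Ealert('oops')%3C/script%3E")
# Constructed inputs: the tag spellings asked about in the thread.
SPELLINGS = ["<script>", "< script>", "<script name>"]

def strip_script_tag(value):
    """Stripping: remove the literal '<script' opener, leave the rest."""
    return re.sub(r"<script", "", value, flags=re.IGNORECASE)

def encode_entities(value):
    """Encoding: turn & < > " ' into entities so nothing parses as markup."""
    return html.escape(value, quote=True)

class Request:
    """Hypothetical request object that purifies args as the query is set."""
    def __init__(self, purify=encode_entities):
        self.purify = purify   # pluggable, e.g. chosen from a config file
        self.args = {}

    def set_query(self, query):
        # parse_qsl percent-decodes first, so %3C is already '<' when purified.
        self.args = {}
        for key, val in parse_qsl(query, keep_blank_values=True):
            self.args.setdefault(self.purify(key), []).append(self.purify(val))

    def arg(self, key, default=""):
        return self.args.get(key, [default])[0]

def purified(raw_value, purify):
    """Round-trip one value through a query string and a Request."""
    req = Request(purify)
    req.set_query(urlencode({"foo": raw_value}))
    return req.arg("foo")

if __name__ == "__main__":
    req = Request()
    req.set_query(urlsplit(PAGE_URL).query)
    print("page URL, encoded :", req.arg("foo"))
    for s in SPELLINGS:
        print(repr(s), "strip ->", repr(purified(s, strip_script_tag)),
              "| encode ->", repr(purified(s, encode_entities)))
```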